About Delta Risk

Delta Risk is a global provider of strategic advice, cyber security, and risk management services to commercial and government clients. We believe that an organization's approach to cyber security should be planned, managed, and executed within a tailored and organization-specific program. We help guide organizations to succeed in today's cyber environment by building on the people, processes, and technology they already have. All rights reserved.

Law firms are high-value targets for hackers from all backgrounds, including nation-states, cyber criminals, and even political activists. As early as 2009, the Federal Bureau of Investigation warned law firms of cyber criminals using spear phishing attacks (targeted, socially engineered emails to lawyers and legal staff) to hack firms.[1] In 2011 it was reported that at least 80 prominent law firms were hacked.[2] The frequency and sophistication of these law firm cyber attacks continue to grow at an alarming rate; in 2013, FBI cyber security expert Evan Koblentz publicly stated: "We have hundreds of law firms that we see increasingly being targeted by hackers... We understand that the cyber threat is our next great challenge. Cyber intrusions are all over the place, they're dangerous and they're much more sophisticated."[3]

This Delta Risk Viewpoint offers the perspective that law firms should pursue a deliberate top-down and bottom-up cyber security program development approach that builds around an accepted risk management framework, yet is tailored to their size, structure, and operating model.

A sample of several high-profile attacks underscores the value of the law firm as a target to a variety of actors, from nation-state and criminal to the political activist:

In 2011, a prestigious Washington DC based law firm was attacked by a hacking group purportedly linked to the Chinese People's Liberation Army in a criminal operation known as Byzantine Candor. This sophisticated hacking group targeted energy companies, government agencies, and defense companies across the world for the purpose of gathering information related to an international trade case brought against a Chinese energy company and several Chinese exporters. The Chinese cyber unit targeted the firm because its lawyers were prosecuting some of these claims. Remarkably, the attackers were able to take complete control of the firm's system, thereby exfiltrating thousands of pages of emails, documents, and private communications.

In 2012, a firm representing a US Marine Staff Sergeant charged with homicide for his alleged role in the 2005 Haditha Massacre was hacked by the global political hacktivist group known as Anonymous. Anonymous was able to exfiltrate 2.6 GB of attorney-client correspondence related to the firm's criminal representation of the defendant, which it then released to the public.

In 2014, a small US law firm based in North Carolina fell prey to Cryptolocker ransomware that arrived through a phishing email. The firm attempted to pay the demanded ransom, but failed to do so within the time limit, which left every single document on the firm's main server encrypted and ultimately useless to the firm. Cryptolocker is a popular type of ransomware that encrypts all of the data files on the victim's computer, rendering them inaccessible. The attacker threatens to delete the encrypted data and asks for a sum of money in return for access. These types of attacks are successful precisely because the attackers understand the value of time in the legal business and what law firms are willing to do in order to rapidly restore workflow.

A Hacker's Dream

Cyber criminals are focused on law firms for one simple reason: law firms hold highly confidential and sensitive data, including personal health information, trade secrets, intellectual property, corporate documents, and litigation strategies. In addition to being high-value cyber targets, law firms are inherently vulnerable due to the nature of the legal industry, as many lawyers do not fully appreciate the risk of data breaches. A 2012 American Bar Association technology survey found that only 9.6 percent of participants practicing in firms with lawyers believed that their firm had security issues, while 63.5 percent admitted that they had no knowledge or awareness of cyber security risks.[4]

Moreover, with the now-widespread use of mobile technologies such as computer tablets and cell phones, clients expect their lawyers to be accessible and responsive at all times. To meet these client demands, many lawyers work remotely from the office, at home, in a hotel room, or even in coffee shops. As a result, the law firm threat profile has dramatically expanded.

Finally, law firm economics lead to law firm cyber vulnerabilities. For non-partner attorneys, the billable hour model inherently promotes productivity and convenience over data security. Partners with an ownership interest are sometimes unwilling to spend resources on cyber security professionals and technology.

A Lawyer's Nightmare

The American Bar Association (ABA) has expressly acknowledged the emerging cyber risks confronting U.S. law firms. ABA President Laurel Bellows announced that cyber security would be a priority for the organization.[5] In addition to increasing ABA scrutiny, ABA Model Rule 1.6(c) imposes an ethical duty on a lawyer to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."[6] Comment 18 of the Rule identifies the "[f]actors to be considered in determining the reasonableness of the lawyer's efforts," which "include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)."

In addition to ethical obligations, law firms have a legal duty to safeguard client data. For example, the Securities and Exchange Commission has issued guidance for publicly traded companies, requiring them to evaluate their cybersecurity risks and "take into account all available relevant information, including prior cyber incidents and the severity of those incidents."[7] Critical here, this guidance applies not only to publicly traded companies, but also to their business partners.[8] It is highly likely that a law firm doing any level of business with a publicly traded company qualifies as a business partner.

Similarly, law firms receiving or holding healthcare information qualify as "business associates" under the Health Insurance Portability and Accountability Act (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). As such, law firms handling healthcare information must implement "reasonable and appropriate administrative, technical, and physical safeguards" to ensure the integrity and confidentiality of personal healthcare information against reasonably anticipated threats and unauthorized uses and disclosures.[9]

Along with the federal laws identified above, lawyers must also comply with rapidly evolving state law. For example, Massachusetts requires "[e]ncryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly."[10]

What to do

Maintaining the confidentiality and security of client information is the bedrock of the legal profession. The ABA Cybersecurity Task Force warns that "[i]t is critical for law offices to have appropriate data security because of the huge volume of data lawyers collect about companies and individuals," and sets forth the following top considerations for law firm cyber security:

- Develop a Comprehensive Security Information Plan, including technical, operational and management controls, which is specifically designed to prevent data breaches.
- Conduct a Risk Assessment to identify, prioritize, and address law firm cybersecurity vulnerabilities.
- Use Appropriate Encryption Technologies to protect data in transit (email) and at rest (on servers or in the cloud).
- Utilize appropriate Mobile Device Management to protect confidential data sent to mobile devices, including laptops, smart phones, and tablets.
- Use Multifactor Authentication to limit network access to authorized users.
- Develop a Data Retention and Destruction Plan to ensure that data is maintained for an appropriate amount of time and then properly disposed of when necessary.
- Conduct Table Top Exercises simulating potential data breach scenarios involving management and relevant decision makers.
- Designate and Train Internal First Responders who will take the lead during a potential or actual breach occurrence.[11]

Key Take-Aways

Cyber security is of critical importance to lawyers and their firms. The ABA Cybersecurity Task Force has identified cyber security cornerstone goals, which include the following:

- Data confidentiality: This concerns the privacy of highly sensitive privileged information and in practice means preventing unauthorized disclosure of information.
- Data integrity: The legal profession must be able to trust that the information they receive is consistent, accurate, and trustworthy. Law firms have always needed to ensure that unauthorized personnel are not able to alter data. Historically, this may have come in the form of escorted messengers; in the modern age, it could mean using version control measures or file permissions to prevent erroneous changes.
- Data availability: The legal services industry is extremely time-sensitive, and a loss of reliable access to information carries financial consequences. This means having redundancies in place and planning for hardware failures to ensure that backups are available if incidences of sudden data loss or interruptions occur.

Delta Risk can help

If your law firm is challenged with establishing a cyber security risk management program, Delta Risk may be able to help. We have expertise in developing enterprise information security programs and supporting the implementation of processes for risk management and the day-to-day management of cyber security operations. We can help you think through the ideas presented in this Viewpoint as they apply to your enterprise, understand and prioritize your cyber security challenges, and work with you to devise and implement tailored approaches to address them.

Notes

[1] "Spear Phishing Emails Target U.S. Law Firms and Public Relations Firms," United States Federal Bureau of Investigation, last modified Nov 17, 2009.
[2] Michael A. Riley and Sophia Pearson, "China-Based Hackers Target Law Firms to Get Secret Deal Data," Bloomberg BusinessWeek, Jan 21, 2012, accessed Jan 15.
[3] Evan Koblentz, "LegalTech Day Three: FBI Security Expert Urges Law Firm Caution," Law Technology News, Feb , accessed Jan , http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id= &LegalTech_Day_Three_FBI_Security_Expert_Urges_Law_Firm_Caution.
[4] "Legal InfoSec," Tiro Security, LLC, accessed Jan 15, 2015.
[5] James Podgers, "Threat of cyber attacks must be recognized and responded to, ABA president urges lawyers," ABA Journal, Feb 1, 2013, accessed Jan 15, 2015.
[6] ABA Model Rule 1.6(c) (emphasis added).
[7] "CF Disclosure Guidance: Topic No. 2: Cybersecurity," U.S. Securities and Exchange Commission, Oct. 13, 2011, at 3 (emphasis added).
[8] Ibid.
[9] U.S.C.A. (d) (emphasis added).
[10] CMR 17.04(3) (emphasis added).
[11] Jill D. Rhodes and Vincent I. Polley, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (Chicago: American Bar Association, 2013), 27.
